You may have already heard that a security researcher has found a flaw that affects the security of all WiFi. While some action is needed to prevent being impacted, fixes are available now or will be soon. Preparation for future problems may be necessary, however.
Remember that this is simply a report on an important vulnerability, and that we work with vulnerability every day. :)
The person who discovered this flaw, Mathy Vanhoef, decided to name it KRACK. Many puns both clever and not were inspired by this naming choice, but we’ll spare you.
What Does This Flaw Do?
First: know that this flaw was discovered by a researcher (Mathy) whose goal is to make the world safer for people using computers, as opposed to being discovered by bad guys who are actively using it for nefarious purposes. So it’s something we need to prepare for in the nearish future. It’s probably not something that will impact you right now.
The flaw that was discovered would, essentially, make any secure WiFi (the WiFi with the little lock icon next to its name) no longer entirely secure against nearby bad guys who are using the hack. Said bad guys might be able to decrypt the information you send and receive over WiFi.
If you connect to compromised WiFi with an Android phone or Linux computer, the bad guy can decrypt everything you exchange with the WiFi router. For other kinds of devices, they have a harder time decrypting, but they potentially can do so.
They could also set up situations that cause you to download and install viruses or view fake web site content that the bad guy made up just for you. Wouldn’t that be special?
There may also be other creatively evil-minded uses for the hack that Mathy didn’t anticipate, of course.
Yes, this flaw is very broad in its impact. It can make a person think their WiFi session is protected by encryption and authentication when, in fact, it is not. It’s a good thing that Mathy discovered the flaw before bad guys figured out a way to exploit it en masse!
What Does This Flaw Not Do?
The flaw cannot be used to decrypt or otherwise interfere with the information you exchange when visiting secure websites (the ones that use HTTPS and have a lock icon in the corner of your browser window).
Generally, online services that engage in HIPAA Business Associate Agreements, and that handle protected health information for clinicians, use these secure connections when you log in to them. Be sure to look for the lock icon when connecting.
If you use a VPN when connecting to the Web, that will also provide protection against this flaw to the extent that your VPN service protects your connections. Different VPNs offer different kinds of protection with differing levels of reliability, so we cannot say for sure what protection any given VPN provides against this flaw.
How Do I Prepare For It?
There are two things to consider in preparing to stop this flaw from impacting you or your clients. One is updating the software on your smartphones and computers. That part is pretty simple. The second part might or might not be more complex, depending on what kinds of gear you have and how you use it.
We’ll discuss both things.
Updating Your Computers and Smartphones
Even though this flaw technically impacts both WiFi routers and the devices that connect to them (e.g. smartphones and computers), the bad guys who wish to use it can still be defeated just by patching the software in your computers and smartphones. Doing so will ensure that those devices are safe from this flaw even if they are connected to WiFi that has been compromised by a bad guy.
We have evidence that Apple’s next major software updates all contain a patch for KRACK. For Macintoshes, you should already be installing all the security updates as they get released, but this one will be especially important.
For iPhones and iPads, Apple just released iOS 11.0.4, and it appears the patch will come in iOS 11.1. So if you’re like me and you prefer not to install new operating systems until the kinks get ironed out, we can both continue procrastinating until iOS 11.1 and still get that important security update for our favorite Apple accoutrement.
Windows Computers and Surface Tablets
Microsoft was all over this one. Windows got the patch before the flaw was even announced. I know that no one likes waiting for the constant deluge of Windows updates to install every time you try to turn off your computer, but this one is worth waiting for.
Android Phones and Tablets
So… Android has this thing where there are a bunch of different device makers and very little consistency in getting security patches out to everyone’s Android gear. We know that Google is formulating a security fix as we speak, but we can’t say what that means for getting that fix to your Android device. We can guess that if you have a Pixel or Nexus (Google makes those), then you’ll likely get the update soon. That’s probably true of Samsung’s nicer phones and tablets, too.
Simply keep an eye out for security updates. If October ends and you still haven’t seen an update for your Android phone, try contacting the phone’s maker or the cellular service company where you bought it.
The Problem: Devices With No Updates Available
It’s great that we can protect phones and computers from KRACK just by updating them, but that only works for our gear that is updatable.
Also, Apple will probably not release a security patch for iOS 10. They’ll likely just stick to the newer iOS 11. So you’re probably okay if you have an iPhone 5s or newer model, because they can use the most recent iOS 11 software. The iPhone 5 or older models can’t do iOS 11 and so you won’t be able to protect them. (BTW, if you like the size of the iPhone 5 and don’t like the big phones, get the lesser-known iPhone SE. It’s the same size and shape as an iPhone 5 but with more advanced innards.)
If you have a computer or phone that is no longer supported and you can’t get security updates for it, we recommend either getting updated gear or never using that unsupported gear to connect to WiFi.
We know that there are some specialized medical software packages (e.g. biofeedback software) that can only run on older computers. That’s fine. Just don’t connect those older computers to WiFi. You can plug them directly into the router with a cable in order to get an Internet connection. That method won’t be vulnerable to KRACK.
Now that we’ve covered the protection of our computers and phones, that brings us to all the other things in our lives that might connect to WiFi. In other words…
The Internet of Things (“IoT”)
“Internet of Things” refers to the growing volume of WiFi-enabled stuff in our homes and offices. For example, that WiFi-enabled toaster that texts you when your toast is done is part of the “Internet of Things.”
In our offices, more common “things” may include printers, scanners, security cameras, and the like. A significant challenge posed by KRACK is figuring out what to do with gear whose WiFi software won’t get updated. Many of our WiFi routers are too old to get updates or we just don’t have the tech skills to apply the updates. The same is true of most of those “Internet of Things” items, such as wireless printers.
This is a good point for risk analysis. If your wireless printer can be connected to computers with a cable, it’s probably worth just turning off the printer’s WiFi connection feature and making a practice of getting up to go connect your computer to the printer when you need to print.
Or you may even decide that your office’s WiFi is unlikely to be vulnerable to KRACK simply because the WiFi signal doesn’t reach past the waiting room. (Be careful of bad guys in the waiting room with a signal repeater, though!)
At the time of writing, KRACK is not easy for bad guys to use because they have to be within range of your WiFi signal to even try it. It’s possible that enterprising criminal types may come up with an easy-to-use tool for taking advantage of KRACK. Then it could become much easier for bad guys to use. We’ll let you know if that happens.
But until then, be careful not to let fear of KRACK get you down or make your life unnecessarily difficult.